Snort mailing list archives
Not sure I'm seeing all traffic
From: "John Creegan" <jcreegan () questarweb com>
Date: Tue, 29 Mar 2005 08:53:01 -0600
Hi, everyone...

Basics: Snort 2.3.2, BASE 1.0.2

I've read:
Snort 2.0 Intrusion Detection (Syngress)
Intrusion Detection with Snort (Sams)
Intrusion Detection with Snort (Rehman)
And thousands of emails from the users group.

I've got my sniffing interface in promiscuous mode on a mirrored port. The source port is the one my perimeter firewall is plugged into. I'm thinking that this means that my sniffing interface *should* be seeing all traffic going out of the firewall *and* all traffic that the firewall is passing in.

My first question is: Is that correct?

I'm running two snort instances on the same box. One for logging, one for alerting. I'm attempting to verify that the alerting instance is catching everything. No matter how much I read on the differences between the alert and log facilities, I've remained confused as to how logging works. Alerting is easy...say something when a rule is violated. Logging also seems affected by the rules (as in when I comment one out, the logging instance no longer reports it either).

My second question is: Why is that?

The "-z est" argument has always troubled me. I know it's there (thanks, Marty) to defeat stick attacks, but the argument "-z est" has never worked. At least older versions of snort wouldn't start with that in the command line. "-z" has, so for the past three years I've never known whether I really am looking at only established traffic or not. And when looking for chat rule violations I don't know whether I should be...especially with the newer "flow:established" criteria written at the rule level.

My third (and final) question is: Does anyone know of more resources than I've read that can help me to understand all this better?

I'll appreciate any (positive) suggestions anyone cares to provide.

Thanks!
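An added example, not part of John's post or of the Snort distribution: a minimal Snort 2.x config fragment showing the "alert" and "log" rule actions and the "flow:established" keyword he asks about. The output file names, the $HOME_NET/$EXTERNAL_NET variables, the rule sids and the assumption that the stream4 preprocessor is enabled elsewhere in the config are all mine.

```snort
# Added example (not from the original post). Assumes $HOME_NET and
# $EXTERNAL_NET are defined above and that the stream4 preprocessor is
# enabled, since the flow keyword relies on its session tracking.

# Output plugins only decide WHERE events go; the rule action decides
# WHETHER a packet produces an alert, is only logged, or is ignored.
output alert_fast: alert          # one-line alerts, read by the alerting instance
output log_tcpdump: snort.log     # full packets in pcap format, logging instance

# "alert": generate an event AND log the packet.
# flow:established,to_server restricts the match to packets that belong to a
# completed three-way handshake and travel client -> server, which is why a
# rule with this option only fires once the session is tracked as established.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH session to internal host"; \
    flow:established,to_server; classtype:misc-activity; sid:1000001; rev:1;)

# "log": record the packet without raising an alert. Commenting this line out
# removes the traffic from the logging instance's output as well, because the
# log action is still rule-driven; there is no rule-independent packet logging
# unless the instance is run in packet-logger mode without a ruleset.
log tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC client traffic"; \
    flow:established,to_server; sid:1000002; rev:1;)
```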